initgroups for already logged in users should not cause long delays

[sssd-bot]

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/4098

• Created at 2019-10-15 17:56:50 by simo
• Assigned to sbose

---

initgroups is always done online even when a user has an active session in the system and therefore updating initgroups is not relly that important (most authentications are either sudo or lockscreen related and are not expected to really have any changes to the user group definition (and even if they did they would not apply to the existing session).

(Pam) Initgroups requests should be smarter and use the cache when a user session already exists on the system

Comments

---

Comment from sbose at 2020-03-13 12:24:21

PR: #1005

---

Comment from sbose at 2020-03-13 12:24:25

Metadata Update from @sbose:

• Issue assigned to sbose

---

Comment from thalman at 2020-03-13 15:29:02

Metadata Update from @thalman:

• Issue tagged with: Next milestone

[pbrezina]

• master
  • 272efe4 - pam: make sure initgr cache is not created twice
  • 74f0a45 - cache_req: no refresh with CACHE_REQ_BYPASS_PROVIDER
  • 68aa68e - pam: use pam_initgroups_scheme
  • b66f0e4 - pam: add option pam_initgroups_scheme
  • d2424bf - pam: Use cache for users with existing session
  • b572871 - cache_req: introduce cache_behavior enumeration

[sumit-bose]

Issue linked to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1803134

[pbrezina]

Pushed PR: #5222

• master
  • 100839b - PAM: do not treat error for cache-only lookups as fatal